Traefik not work without Target annotation

[mysiki]

What happened:

Using Traefik ingress CRDs with default-targets: args do not work. My ingress is taken by External DNS only when I added the annotation external-dns.alpha.kubernetes.io/target even if default target is setup.

Curious part, without the target annotation nothing happen (no logs even in debug). But When I add this annotation, I have logs which say "didn't use default target because a target is provided" ... So look like an error on "filter level".

What you expected to happen:

Traefik CRDs should work as other, so without static target and using default target.

How to reproduce it (as minimally and precisely as possible):

External DNS config :

ovh:
  provider: ovh
  sources:
    - crd
    - service
    - traefik-proxy
  ## Using extraArgs because is templating
  extraArgs:
    traefik-enable-legacy: null
    txt-owner-id: "cloud-{{ $.Values.global.id_cluster }}"
    txt-wildcard-replacement: "wildcard"
    txt-prefix: _cloud-extdns.
    aws-prefer-cname: null
    ## -- Public load balancer cname
    default-targets: nlb-aws-eks-pen-euw1-m-pub-1234.elb.eu-west-1.amazonaws.com
  policy: sync
  registry: txt
  annotationFilter: external-dns.corp.io/scope in (ovh)
  domainFilters:
    - mycorp.com
  serviceMonitor:
    enabled: true

Args :

   containers:                                                                                                                                                                            
   - args:                                                                                                                                                                                
     - --log-level=debug                                                                                                                                                                  
     - --log-format=text                                                                                                                                                                  
     - --interval=1m                                                                                                                                                                      
     - --source=crd                                                                                                                                                                       
     - --source=service                                                                                                                                                                   
     - --source=traefik-proxy                                                                                                                                                             
     - --policy=sync                                                                                                                                                                      
     - --registry=txt                                                                                                                                                                     
     - --domain-filter=frtcld.com                                                                                                                                                         
     - --domain-filter=pen-euw1-m.mycorp.com                                                                                                                                          
     - --exclude-domains=internal.frtcld.com                                                                                                                                              
     - --annotation-filter=external-dns.corp.io/scope in (ovh)                                                                                                                        
     - --provider=ovh                                                                                                                                                                     
     - --aws-prefer-cname                                                                                                                                                                 
     - --default-targets=nlb-aws-eks-pen-euw1-m-pub-1234.elb.eu-west-1.amazonaws.com                                                                                          
     - --traefik-enable-legacy                                                                                                                                                            
     - --txt-owner-id=cloud-pen-euw1-m                                                                                                                                                    
     - --txt-prefix=_cloud-extdns.                                                                                                                                                        
     - --txt-wildcard-replacement=wildcard    

Ingress :

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    external-dns.corp.io/scope: ovh

## Without this annotation, nothing happen even if default tartget is set
    external-dns.alpha.kubernetes.io/target: nlb-aws-eks-pen-euw1-m-pub-1234.elb.eu-west-1.amazonaws.com

  name: extdns-mft-traefik-whoami-websecure
  namespace: corp-playground
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`tw-websecure.pen-euw1-m.corp.com`)
    services:
    - name: traefik-whoami
      port: 80
  tls:
    secretName: traefik-whoami-internal-certificate-stg

Logs when target annotation (show that default target is read in this case)

time="2026-05-27T14:44:46Z" level=debug msg="Endpoints generated from corp-playground/extdns-mft-traefik-whoami-websecure: [tw-websecure.pen-euw1-m.mycorp.com 0 IN CNAME  nlb-aws-eks-pen-euw1-m-pub-1234.elb.eu-west-1.amazonaws.com []]"
time="2026-05-27T14:44:46Z" level=warning msg="Source provided targets for \"tw-websecure.pen-euw1-m.mycorp.com\" (CNAME), ignoring default targets [nlb-aws-eks-pen-euw1-m-pub-1234.elb.eu-west-1.amazonaws.com] due to new behavior. Use --force-default-targets to revert to old behavior."
time="2026-05-27T14:44:46Z" level=debug msg="OVH: changes CREATE dns:\"tw-websecure.pen-euw1-m.mycorp.com\" / targets:nlb-aws-eks-pen-euw1-m-pub-1234.elb.eu-west-1.amazonaws.com / type:CNAME"
time="2026-05-27T14:44:46Z" level=debug msg="OVH: changes CREATE dns:\"_cloud-extdns.cname-tw-websecure.pen-euw1-m.mycorp.com\" / targets:\"heritage=external-dns,external-dns/owner=cloud-pen-euw1-m,external-dns/resource=ingressroute/corp-playground/extdns-mft-traefik-whoami-websecure\" / type:TXT"
time="2026-05-27T14:44:46Z" level=debug msg="OVH: Add an entry to  zone action(create) : _cloud-extdns.cname-tw-websecure.pen-euw1-m.mycorp.com 0 IN TXT \"heritage=external-dns,external-dns/owner=cloud-pen-euw1-m,external-dns/resource=ingressroute/corp-playground/extdns-mft-traefik-whoami-websecure\""
time="2026-05-27T14:44:46Z" level=debug msg="OVH: Add an entry to  zone action(create) : tw-websecure.pen-euw1-m.mycorp.com 0 IN CNAME nlb-aws-eks-pen-euw1-m-pub-1234.elb.eu-west-1.amazonaws.com."

Anything else we need to know?:

Using default target as CName (maybe not important)

Maybe link to this one where the first analysis "target is mandatory" has be removed from the pbl #3967

Environment:

• External-DNS version (use external-dns --version): image: registry.k8s.io/external-dns/external-dns:v0.20.0
• DNS provider: OVH
• Others: Traefik V2

Checklist

• I have searched existing issues and tried to find a fix myself
• I am using the latest release,
  or have checked the staging image to confirm the bug is still reproducible
• I have provided the actual process flags (not Helm values)
• I have provided kubectl get <resource> -o yaml output including status
• I have provided full external-dns debug logs
• I have described what DNS records exist and what I expected

[mysiki]

Additional info :

• force-default-targets change nothing, I means, it work as expected when Target is set as annotation (overwrite target) but if the target annotation is not present, nothing happen
• I update to the last version, same pbl

[ivankatliarchuk]

Not to sure what's the expectation here. Traefik is 3rd party, external-dns with annotation is the glue. The title is actually a fact, Traefik resources do require annotations.

• Traefik IngressRoutes do not create DNS records without annotation #3967
• Traefik v3 IngressRoute not working in AWS R53 #6015 (comment)

[mysiki]

Can you explain more what you means ?

For me (correct me if I'm wrong) as traefik is part of official external dns source, it should follow the same logic. So Default target should be used if no target is provide.

I means, traefik is enable as source and my ingress have the filter annotation (external-dns.corp.io/scope: ovh in my case), so the operator should be trigger event if the target annotation is not present.
Or this target annotation is mandatory for all other provider than CRDs and I miss it ?

[chris-birch]

I'm having the same issue when using the traefik-proxy source, the --default-targets aren't being set.

Looks like ExternalDNS doesn't analyze the routes unless external-dns.alpha.kubernetes.io/target is set, when using traefik-proxy as a source.

[ivankatliarchuk]

--default-targets is not a general-purpose fallback for all sources. The only source designed to work with it is the crd source (DNSEndpoint), which deliberately emits empty-target endpoints so the flag can fill them in. This is an intentional decoupling pattern specific to the external-dns CRD - not a baseline feature other sources are expected to match.

For Traefik CRDs specifically, there is no built-in equivalent: the source drops any resource that produces no targets before --default-targets ever gets a chance to apply.

Current workarounds:

1. external-dns.alpha.kubernetes.io/target annotation - set the target IP/hostname directly on each ngressRoute/IngressRouteTCP/IngressRouteUDP resource.
2. Deploy DNSEndpoint CRDs alongside Traefik CRDs - create DNSEndpoint objects (via Helm or a script) that reference the same hostnames with an empty targets: list, then let --default-targets fill them in via the crd source. This is the intended pattern for the flag.
3. --fqdn-template — other sources (ingress, service, gateway) support template-derived hostnames, but the Traefik source explicitly does not, so this option is not available there yet.

What you expected to happen:

Traefik CRDs should work as other, so without static target and using default target.

This statement does not reflect currently reality as well. The crd source is the only one designed to cooperate with this flag.

[mysiki]

Thanks for clarification, the fact that --default-targets is not a general-purpose fallback for all sources. The only source designed to work with it is the crd source I didn't found it in the doc (not present or miss search in my side (?) ).

On my side, I have on NLB in front so all record use the same target (with is the NLB CName), it's why I expect this.

It's something that can be changed ? I means, I can "by pass" it by provided a "fake" target in my traefik annotation and use "force-default-targets", but in this case, it's impossible to change the target if needed for exception (so losing this great feature of default-target).

What is the process to change it and allow traefik source to work without "target annotation" ? Need to be validate by any design review or PR in enough ?